Tuesday, June 24, 2014


JackPOS - Another Credit Card Stealer


In a previous blog post on Dexter, we briefly mentioned a new strain of point-of-sale (PoS) malware that has compromised over 4,500 credit cards in the United States and Canada. This new strain of malware, dubbed JackPOS, was detected early this year and, between then and the time of writing, has had just one version, but with multiple variants.
In this blog post, we look briefly at the unique attributes of JackPOS: its custom pattern matching and its command-and-control (C&C) communication. We will conclude with quick remarks on the newest variant that was found in April.

Custom Pattern Matching

As we now know, PoS malware will first dump process memory, extract the Track 1 and/or Track 2 data, and finally exfiltrate the stolen information to a C&C server. PoS malware can extract track data using one of two approaches: pattern matching or regular expression matching.
Custom pattern matching provides the malware authors with more control as to which type of cards to target or filter out. JackPOS’s custom pattern matching is unique as it is more specific compared to other families such as Dexter. JackPOS will only grab credit cards from specific credit card issuers. This is done by checking parts of the Issuer Identification Number (IIN), which consists of the first few digits of the Primary Account Number (PAN).
The table below shows the first digits of the IINs that JackPOS checks for, and the corresponding credit card companies.
[Image: Table 1. Targeted IINs and credit card companies.]

C&C Communication

JackPOS makes an HTTP GET request to the hardcoded URL http://[REMOVED]/post/echo, checking for the response "up". After ensuring that the server is up and running, the infected machine registers itself with the C&C through HTTP on TCP port 80 using the standard WinINet APIs: InternetOpenW, InternetConnectW, HttpOpenRequestW, and HttpSendRequestW.
The table below shows these APIs and the parameters used.
[Image: Table 2. The WinINet APIs and parameters.]
The content of the HTTP field-value pairs are described below.
[Image: Table 3. The HTTP field-value pairs.]
The figure below shows an example of credit card information being exfiltrated to the C&C server. As we can see, the Track 1 and Track 2 data are simply encoded with the Base64 algorithm.
[Image: Figure 1. Credit card information being exfiltrated by JackPOS.]
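The traffic described in this section is easy to flag on a proxy or IDS because the C&C paths are fixed and the track data is only Base64-encoded. The following Python is an added detection example, not code from the Fortinet post or from the malware: it checks a request's URI path against the two paths the post names (/post/echo and /post/download), decodes every Base64-looking form value in the body, and looks for Track 1 / Track 2 layouts (the public ISO/IEC 7813 formats). The form field names (id, data), the form-encoded body layout, and the issuer prefix list are assumptions: the post's Tables 1 to 3 are images, so the real field names and the exact IINs JackPOS targets are not reproduced here, and the prefixes used are the well-known public ones. The sample request is constructed and uses a standard test card number.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^?]{2,26}\^\d{7}[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{7}[^?]*\?")

# Public IIN prefixes used only to enrich an alert (assumption: NOT the post's Table 1).
# Longer prefixes are listed before shorter ones so the first match is the most specific.
IIN_PREFIXES = (
    ("6011", "Discover"), ("65", "Discover"),
    ("34", "American Express"), ("37", "American Express"),
    ("51", "MasterCard"), ("52", "MasterCard"), ("53", "MasterCard"),
    ("54", "MasterCard"), ("55", "MasterCard"),
    ("4", "Visa"),
)

# URI paths named in the post (host removed there, so only the path is matched).
CNC_PATHS = ("/post/echo", "/post/download")


def issuer_for(pan: str) -> str:
    """Map a PAN to an issuer by its IIN prefix, or 'unknown'."""
    for prefix, name in IIN_PREFIXES:
        if pan.startswith(prefix):
            return name
    return "unknown"


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check; filters random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_tracks(data: bytes) -> list:
    """Return (track, PAN) pairs for every Track 1 / Track 2 record found in the bytes."""
    hits = [("track1", m.group(1).decode()) for m in TRACK1_RE.finditer(data)]
    hits += [("track2", m.group(1).decode()) for m in TRACK2_RE.finditer(data)]
    return hits


def decode_b64_values(body: str) -> list:
    """Base64-decode every form value that is valid Base64; skip the rest."""
    out = []
    for _, value in parse_qsl(body, keep_blank_values=True):
        try:
            out.append(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            continue
    return out


def mask(pan: str) -> str:
    """Keep the IIN and last four digits so the alert never stores a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_request(method: str, path: str, body: str) -> dict:
    """Produce alert findings for one HTTP request (method is logged but not used for matching)."""
    findings = {"method": method, "cnc_path": path in CNC_PATHS, "cards": []}
    for blob in decode_b64_values(body):
        for track, pan in find_tracks(blob):
            findings["cards"].append({
                "track": track,
                "issuer": issuer_for(pan),
                "luhn_ok": luhn_ok(pan),
                "masked": mask(pan),
            })
    return findings


# Constructed sample: Track 1 and Track 2 records for the well-known 4111... test number,
# Base64-encoded into a hypothetical "data" form field next to a hypothetical "id" field.
SAMPLE_TRACKS = (b"%B4111111111111111^DOE/JOHN^2512101000000000?"
                 b";4111111111111111=25121011234567890?")
SAMPLE_BODY = urlencode({"id": "WS-0042", "data": base64.b64encode(SAMPLE_TRACKS).decode()})

if __name__ == "__main__":
    print(scan_request("GET", "/post/echo", ""))
    print(scan_request("POST", "/post/echo", SAMPLE_BODY))
```

A request to one of the C&C paths is worth an alert on its own; a Base64 body that decodes to Luhn-valid track data is the stronger signal, and the two together match the registration and exfiltration described above. The Base64 step is what makes this reliable: a plain track-data signature on the wire would miss JackPOS entirely, so the decoder runs before the pattern match.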

The C&C Server Commands

The response from the C&C server can be one of three commands:
1) "update" : download and update
   • Connects to http://{Removed}/post/download and downloads a file to the user's Application Data folder. The filename used is selected from a list of strings that are in the malware body.
[Image: Figure 2. List of filenames in the malware body.]
   • Updates the autorun registry entries to point to the updated file.
2) "exec" : download and execute. There is one parameter used in this command, which is the URL from which the malware will be downloaded.
   • Saves the executable to %Temp%\[filename].exe, then executes it.
3) "kill"
   • Deletes all registry entries associated with the malware.
   • Kills the malware process.

New Variant

In April, we acquired what appeared to be a new variant of JackPOS. After completing our analysis, we concluded that the sample from April varies only slightly from the original version. As we like to say, it is ‘old water with a new bottle’. The only significant difference is the fact that the April version is packed with a custom packing algorithm.
It is interesting to note that the strings showing the compilation path of the malware in this April version have been modified from the February versions:
1) February version
   • C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release\sop.pdb
   • C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release\svchost.pdb
2) April version
   • I:\hack\dev\pos\sop\Release\sop.pdb
   • I:\hack\dev\pos\sop\Release\svhost.pdb
As we can see, the PDB strings in the February version had revealed the Windows user account name of the malware author. From the change in these strings, we can consider two possibilities: either (1) the project was moved and recompiled in an effort to correct this; or (2) the project source code is now in the hands of other malware authors.
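PDB paths like the ones above are stored in the binary's CodeView debug record, which makes them a cheap triage artifact for linking samples and, as here, spotting a leaked username. The following Python is an added example, not code from the Fortinet post: it scans raw bytes for CodeView "RSDS" records (the public layout is the 4-byte signature, a 16-byte GUID, a 4-byte age, and a NUL-terminated path), returns each path with its GUID and age, and pulls the account name out of any path under a Windows user profile. The sample image is constructed from the February paths quoted in the post; the GUIDs and ages in it are made up. Scanning bytes rather than walking the PE debug directory is a deliberate choice so the same routine works on a memory dump of a sample whose on-disk copy is packed, as the April variant is.

```python
import struct
import uuid

RSDS_SIG = b"RSDS"


def extract_pdb_paths(blob: bytes) -> list:
    """Find CodeView RSDS records in raw bytes and return their GUID, age and PDB path."""
    results = []
    pos = 0
    while True:
        idx = blob.find(RSDS_SIG, pos)
        if idx < 0:
            break
        rec = idx + len(RSDS_SIG)
        pos = rec  # always move past this signature, even if the record is rejected
        if rec + 20 > len(blob):
            break
        end = blob.find(b"\x00", rec + 20)
        if end < 0:
            break
        try:
            path = blob[rec + 20:end].decode("ascii")
        except UnicodeDecodeError:
            continue  # "RSDS" appeared in data that is not a CodeView record
        if not path:
            continue
        guid = uuid.UUID(bytes_le=blob[rec:rec + 16])
        age = struct.unpack_from("<I", blob, rec + 16)[0]
        results.append({"guid": str(guid), "age": age, "path": path})
        pos = end + 1
    return results


def user_from_pdb_path(path: str):
    """Return the account name when the PDB was built under <drive>:\\Users\\<name>\\..., else None."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[1].lower() == "users":
        return parts[2]
    return None


def build_record(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Assemble one RSDS record; used only to construct the sample image below."""
    return RSDS_SIG + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# The two February paths quoted in the post; GUIDs and ages are constructed values.
FEB_SOP = r"C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release\sop.pdb"
FEB_SVCHOST = r"C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release\svchost.pdb"
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62                       # constructed filler standing in for PE headers
    + build_record(uuid.UUID(int=0x1111), 1, FEB_SOP)
    + b"\x90" * 16
    + build_record(uuid.UUID(int=0x2222), 3, FEB_SVCHOST)
    + b"RSDS\xff\xff"                           # stray signature with no complete record behind it
)

if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE_IMAGE):
        print(rec["age"], rec["guid"], rec["path"], "user:", user_from_pdb_path(rec["path"]))
```

The February strings yield the account name directly, while the April paths (I:\hack\...) yield nothing, which is exactly the change the post describes. For a real sample, feed the function the bytes of an unpacked binary or a process memory dump; on the packed April variant the record is only visible after unpacking.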
Source: https://blog.fortinet.com/JackPOS-----Another-Credit-Card-Stealer/
